Securing the Wire

I received an email the other day informing me that my credit card had been improperly billed and that if I wanted it rectified all I had to do was reply providing them with my credit card number and expiration date.

Consider, for a moment, how many things were wrong with that solicitation. If they knew I had been improperly billed then I should just be credited. If they knew my number to know that I had been improperly billed then they knew it to credit me back. The email address at which they were contacting me was not tied in any way to any credit card. In the portion of the note that tried most to alarm me, they misspelled pornography. Finally, none of my credit cards had this charge on it. I am sure you can come up with even more "what's wrong with this picture" items.

And yet, some small percentage of the people contacted will respond with all of this information. In many cases, we are the weak link in any security system. As programmers, we cannot, for the most part, save people from themselves. We cannot programmatically keep them from deliberately giving other people crucial information. We can, however, help keep them from inadvertently doing so.

When you are sitting at a coffee shop enjoying a wireless connection, you may not be thinking about the other people sharing that connection who can sniff packets and see what you are sending and receiving. One of my friends was setting up automatic discovery on his home network so that he could connect to his printer from any machine in the house. He noticed that he also was able to see many of the machines on his street that were connected through their cable modems. A quick call to his neighbors to have them set up their firewalls and all was right in his world.

In the book excerpt, Securing the Wire, Pankaj Kumar writes about this situation, saying

"Raw TCP packets flowing through a data network may be incomprehensible, even invisible, to a normal user fostering a sense of security, but in reality, the data in these packets are very accessible to those with the appropriate tools and know-how. The data networks over which these packets flow were not designed to protect the information from malicious folks and provide little or no security. With the help of programs freely available over the Internet, one can easily view, analyze and filter, on a normal PC, all the data being exchanged by machines on the same LAN. What it means is that a rogue neighbor, subscribing to the same cable or DSL ISP (Internet Service Provider) as you, can easily collect your account names and the passwords on different websites, including those from your online broker or bank, without you ever being suspicious."

Kumar's excerpt shows you how to use the SSL API for Java, which "is modeled after socket-based networking API and it is fairly straightforward to modify existing TCP programs to use SSL. Using JCA-compliant API to plug different implementation of cryptographic services and to build and install key managers and trust managers provides an extensible framework to use security components from different sources."
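As an added illustration of the two points above (the readable LAN traffic in Kumar's quote, and the socket-style SSL API the excerpt describes), the following Java program is not from the book or from java.net. It sends the same line-oriented request first over a plain java.net.Socket, which any machine on the shared LAN can read, and then over an SSLSocket obtained from an SSLContext whose trust manager is loaded from a caller-supplied trust store via the JCA factory classes. The host, port and trust-store path are assumptions chosen for the example; endpoint identification via SSLParameters requires Java 7 or later.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the page: the same request over a plain
 * TCP socket and over an SSLSocket. HOST, the ports and the trust-store
 * path are assumed values for illustration.
 */
public class WireClient {

    private static final String HOST = "example.com"; // assumed host
    private static final int PLAIN_PORT = 80;         // assumed cleartext port
    private static final int TLS_PORT = 443;          // assumed TLS port

    /** Cleartext: every byte of request and reply is visible on the LAN. */
    static String plainRequest(String request) throws IOException {
        try (Socket s = new Socket(HOST, PLAIN_PORT)) {
            return exchange(s, request);
        }
    }

    /**
     * Builds an SSLSocketFactory from a trust store of our choosing, which is
     * the "plug in a trust manager" step the excerpt talks about. Passing
     * null for the key managers means we present no client certificate.
     */
    static SSLSocketFactory socketFactory(String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Same exchange as plainRequest, but the socket comes from the SSL factory. */
    static String secureRequest(SSLSocketFactory factory, String request) throws IOException {
        try (SSLSocket s = (SSLSocket) factory.createSocket(HOST, TLS_PORT)) {
            // A chain that validates but names some other host must be rejected,
            // otherwise a valid certificate for any site would be accepted.
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);
            // Force the handshake now so a trust failure surfaces before any
            // application data is written.
            s.startHandshake();
            return exchange(s, request);
        }
    }

    /** The application protocol is unchanged; only the socket type differs. */
    private static String exchange(Socket s, String request) throws IOException {
        PrintWriter out = new PrintWriter(s.getOutputStream());
        BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
        out.print(request);
        out.flush();
        StringBuilder reply = new StringBuilder();
        String line;
        while ((line = in.readLine()) != null) {
            reply.append(line).append('\n');
        }
        return reply.toString();
    }

    public static void main(String[] args) throws Exception {
        // HTTP/1.0 so the server closes the connection and readLine() returns null.
        String req = "GET / HTTP/1.0\r\nHost: " + HOST + "\r\n\r\n";
        SSLSocketFactory f = socketFactory("truststore.jks", "changeit".toCharArray());
        System.out.print(secureRequest(f, req));
    }
}
```

The only difference between plainRequest and secureRequest is where the Socket comes from, which is the excerpt's point about converting existing TCP code. The two extra lines that matter for security are the endpoint identification setting, without which a certificate valid for any host would satisfy the trust manager, and the explicit startHandshake(), which makes a rejected certificate fail the call before a single byte of account name or password leaves the machine.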

I was going to whine about the difficulties in traveling until I caught James Gosling's story about Hell on the road to Prague in today's featured Weblogs. James had one of those trips where he had to pay (with time, money, and inconvenience) for repeated small avoidable mistakes. Be warned that the language, though completely appropriate, is "adult" at times.

This post reminded me of Doc Searls' keynote at ApacheCon yesterday where he talked about this ecosystem and this "kindness of strangers". Someone asked Doc how we convince big companies who don't "get it yet" and Doc answered "go to work for them." He pointed around the room at folks active in Apache who work for IBM, BEA, Sun, and others. In addition to providing value to Apache and to their employers, they help each entity understand the other.

In Also in Java Today, we link to Andreas Schaefer's ONJava article Inside class loaders. He writes that you are often dealing with class loaders without thinking about it and "many 'container-type' applications such as J2EE servers, web containers, NetBeans, and others are using custom class loaders in order to limit the impact of classes provided by a component, and thus will have an impact on the developer of such components."

Vladimir Silva has taken a different tack with managing X.509 certificates in grid applications. He has written a set of APIs to "help system administrators with the tedious task of managing user and host certificates in development grids. Java Certificate Services is written to work specifically with the Globus and the Java CoG toolkits." He details this tool in his article on Java Certificate Services.

This blog is delivered weekdays as the Java Today RSS feed (http://today.java.net/pub/q/java_today_rss?x-ver=1.0). Once this page is no longer featured as the front page of java.net (http://www.java.net), it will be archived at http://today.java.net/today/archive/index_11202003.html. You can access other past issues in the java.net Archive (http://today.java.net/today/archive/).